My Data Breach Experience

I suppose it was inevitable. Thirty percent of American consumers were notified of a data breach involving their personal data in 2017, according to Javelin Strategy & Research. This year it was my turn. Here's what happened to me, and how I handled the problem...

Data Breach: My Turn

In the past, I've used a service called ComplyRight to handle tax reporting of money that I pay to contractors. ComplyRight notified me recently that its security had been breached and the data of my contractors and me had been stolen. The specific data include name, address, phone number, email address, and Social Security Number. Yikes, that leaves all of us vulnerable to identity theft.

ComplyRight tendered all the usual mea culpas, and offered all affected parties the following assistance to defend ourselves:

Free credit reports from all three major credit reporting agencies: TransUnion, Experian, and Equifax. That cost ComplyRight nothing; the agencies are legally required to provide one free report annually to everyone in their databases. See my article What's The Deal on Free Credit Reports? to learn the best way to request your free credit reports without getting scammed.

If you find discrepancies in your credit reports, and you think they are due to fraud, contact your local police and have them create a formal police report. The credit reporting agencies will want a copy of a police report when it’s time to correct your records.

File a complaint with the Federal Trade Commission about the incident. You will get a “recovery plan” in return, and your report will be added to the commission’s ID Theft Data Clearinghouse where it may aid investigations.

Break Out the Freeze Gun

Again, none of these remedial steps cost ComplyRight any more than the cost of the letter describing them. But the next phase will.

It is generally a good idea to place a freeze on your credit file with each of the three majors following a data breach. A “credit freeze” prevents anyone from opening a credit account in your name without your explicit permission. It also prohibits the reporting agency from releasing any information about you or your file.

Freezes leave the credit reporting agencies nothing to sell, so they prefer to charge money for freezes. State laws regulate freeze fees, which range from zero to about $10. ComplyRight will pick up the tab for that.

A freeze remains in effect until you lift it. You can lift a freeze permanently or for a specified period. You can even lift it temporarily for just one entity, such as a finance company, and no one else. To order a freeze on your credit file, contact each credit reporting agency as follows: Equifax Freeze (or call 800-685-1111); Experian Freeze (or call 888-397-3742); TransUnion Freeze (or call 888-909-8872).

When you place a freeze you will receive a PIN or password that allows you to release the freeze when you wish. DO NOT LOSE IT or you will jump through many hoops to authenticate a release request. Along with a passcode you will need to submit: proof of your identity, e.g., a scan of your driver’s license or state ID card; information about the party that is to receive a credit report or the period of time that access to your report should be granted; payment of a fee, if applicable.

Reporting agencies are required to honor requests for temporary lifting of freezes within three business days of receiving a written request, or within 15 minutes of receiving a proper phone or online request.

A freeze does not apply to companies with which you have an existing ongoing credit account, for certain types of account review, for collection efforts, fraud control, or “similar activities.” It also does not apply to uses in setting or adjusting insurance rates or claims or underwriting, for certain government purposes, and for purposes of “prescreening” as defined in the FCRA.

Finally, ComplyRight will pay for a year of credit monitoring provided by TransUnion Interactive under the brand MyTrueIdentity.com. I was provided with a coupon code to activate that benefit, and a passcode to use if I registered by phone.

Once I’m enrolled, I will receive an email alert any time my credit file changes. I will also be told who tried to access my credit file. If my identity is stolen and abused, I will get assistance in cleaning up the mess. That’s all very nice, but I wish ComplyRight had paid better attention to IT security in the first place.

On one level, I'm glad I got that letter about the data breach. It reminded me to be vigilant about checking my credit reports. My article What's The Deal on Free Credit Reports? details a strategy to help you keep tabs on your credit report throughout the year, without spending anything.

Your thoughts on this topic are welcome. Post your comment or question below...

Most recent comments on "My Data Breach Experience"

Posted by:
Mark H.
23 Aug 2018

After the Equifax debacle, I placed a freeze on our credit reports with Equifax. TransUnion and Experian offer a service that allows locking/unlocking our credit reports at will. https://usa.experian.com and https://www.trueidentity.com (TransUnion). You can sign up for free with TransUnion; Experian charges a fee based on options selected. My bank also offers IDNotify (Experian) at no cost, which allows me to monitor my credit report.

Posted by:
Gillian
23 Aug 2018

Canadians who want to keep an eye on their credit score can do so for free by signing up with Mogo. I found out about Mogo after the big Equifax data breach of 2017, which affected Canadians as well as Americans -
https://www.mogo.ca/free-credit-score
Many thanks to Bob for helping us stay safer in the cyber jungle!

Posted by:
GuitarRebel
23 Aug 2018

CreditKarma has handled my credit reporting for a couple of years now, alerting me to any suspicious activity in a timely manner. Best of all, it's free.

Posted by:
Henry
23 Aug 2018

Bob, just wondering - will my annual subscription that I pay to LifeLock take care of this type of situation?

Posted by:
Nacar68117
23 Aug 2018

Yes. I have also used CreditKarma for at least 5 or more years. If there is an inquiry to or from me, I get notified by e-mail. As far as your [ours] Credit Freeze, the US government has got involved; after Sept 21st it will be FREE, so if you have not signed up with all 3 of the credit report co's, do it on or after Sept. 21st; it will be FREE.

Posted by:
Dr. Sheldon Cooper
23 Aug 2018

@Henry - Lifelock may have also exposed your data (albeit in a slightly different manner): https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/

Posted by:
Peter Oh
24 Aug 2018

Oh when will it all end?
Usually these breaches are avoidable & reflect the inadequacies of the organisations concerned.
Their attention to genuine security is plainly second to the business objective of making money.
Until some "per person per breach" penalty is imposed by legislation these instances are likely to appear again & again.

2) Since hubs' IRA almost cleaned out by keylogger invading home computer though security, stopped only by Vanguard recognizing hacker not our home IP address, I've maintained a freeze on the 3 top credit bureaus (there are more).

3) I can't comprehend Bob's paragraph about submitting ID etc as I've only done phone freezes and lifts, no mail or computer, since 24/7 automated line using "Report #" PIN (why online more hacking!) with my prepared ending date for automatic restore, though for safety I prefer daytime c/s rep issuing PIN with expiry date for me to give merchant (banks call this a "selective lift").

Posted by:
Unitary
24 Aug 2018

It is astonishing that U.S.A. citizens concur on having commercial entities, a.k.a. credit reporting agencies, systematically collect their personal data and make these data available to third parties.

Have you ever heard of a peculiar notion called PRIVACY?

That concurrence is almost as astonishing as the fact that U.S.A. citizens still use a barleycorn and a part of human anatomy as units of length.

Posted by:
Clair
24 Aug 2018

Just to let you know, there is a fourth place to put a credit freeze on: it is Innovis. The phone number is 1-800540-2505. I learned this from the Krebs on Security newsletter a while back. Just wanted to let you all know I did this on all four.
Clair

Posted by:
aa1234aa
24 Aug 2018

Here we go again, another complaint about a "security breach". Folks, when your computer is connected to the internet there is no "security". And it doesn't matter if you're a multi-billion dollar company or simple John Doe. If you’re connected, getting hacked should be no surprise, with expressions of “there should be laws” or “there should be penalties”. Try leaving all your home doors and windows open and see what crawls in and what disappears. For all those who talk about Lifelock, CreditKarma, etc.: Do you realize that for these companies to even pretend to "monitor" your accounts you must give them your most sensitive information? That means all your information in yet another database that can (and will) be sold and hacked. You say that Equifax already has your info? No it doesn't, not for the purpose of monitoring. When you sign up for "monitoring" you are authorizing them to put all your sensitive info into a different database that’s subject to another set of regulations which are more lax than the rules used for reporting to financial institutions. Every time you sign up for some internet service or buy something from Amazon or Apple or Google you’re voluntarily distributing your info. Of course, the fact is that if you want to fully live in today’s world you must succumb to the system. And the law is not on your side.

Not saying that you should let down your guard, but there is nothing new here. The best that you can do is to minimize exposure in the first place. Being told, after the fact, that you were compromised, is no solution.
